NIS2 compliant with Identity Security


Identity security plays a crucial role in achieving NIS2 compliance: five of the ten requirements can be addressed with it. Identity security is therefore also mentioned as an important tool in the best practices set by the EU. SailPoint.

October 17, 2024 is the effective date for the NIS2 directive. If companies have not yet started implementing it, now is the time.

Risk analysis and security for information systems

The security concept for information systems must contain rules for identities, such as

  • the use of named accounts as opposed to general accounts;
  • controlling privileged accounts;
  • the enforcement of the principles of least privilege and zero trust;
  • proactively identifying individuals with risky access who pose a threat to the organization.

Segregation of Duties (SOD) also plays an important role in controlling and preventing business risks. The effectiveness of these rules must be measured in terms of risk reduction. Identity security provides insight into the reality of IT access and the tools to detect and correct policy deviations.

Supply chain security

Another important aspect of NIS2 is supply chain security. Companies are increasingly threatened indirectly by attacks on the identities of non-employees such as suppliers, vendors, partners, contractors and others. A successful attack on a supplier can result in the company itself being compromised and, in some cases, no longer able to act. This type of supply chain attack is becoming more common than malware or ransomware attacks and must be taken very seriously. It is critical to manage and protect all identities, including those of service providers, suppliers, consultants or partners. It is always important to ensure that each identity only has access to the resources it needs, at the right time.

Effectiveness of risk management measures

Organizations often have difficulty evaluating the effectiveness of their security measures or identifying vulnerabilities that persist despite these measures. Many find it difficult to immediately revoke employees' access when they change roles or leave the company. The European Commission recommends that critical infrastructure operators implement zero trust strategies and identity and access management. Such approaches imply that authorized parties only have access to the systems they absolutely need, and with the lowest possible rights. This can be essential for managing partner and contractor access.

Basic cyber hygiene

To ensure solid cyber hygiene, companies should have an overview of all their hardware and software, and of who can access it. This also includes password hygiene. To avoid employees using the same password for all accounts, companies can rely on identity governance: this ensures automated access to an ever-growing and changing IT environment while reducing potential security and compliance risks.

The NIS2 directive also requires employees, partners and everyone within the company to be trained and sensitized on cybersecurity. According to an IDC report on NIS2 implementation, three quarters of European companies (72 percent) still need to work on their cybersecurity training offerings.

Access control and asset management

The NIS2 directive also refers to the “safety of personnel”. This is a very broad area, but it also shows that managing users is an important aspect of cybersecurity. Targeting users is a central method for cybercriminals. Role-based access control, for both human and machine identities, assigns different resources and authorization levels according to the role of the respective user. This allows companies to adopt an identity governance approach where policies are proactively developed and implemented using AI and ML. At the same time, the context of both the user and the resource being accessed can also be included. This reduces the management burden for IT and security teams and can ensure vulnerabilities are mitigated before cybercriminals can exploit them.

“Real-time insights into user access can create advanced indicators of identity security posture. This is especially true for ownerless or shared accounts, non-deactivated accounts, or those with high privileges. It also helps with unused rights and accumulations of access rights that can be harmful to the company,” says Klaus Hild, Principal Identity Strategist at SailPoint. “This allows high-risk situations to be identified and remedial action prioritized. And the use of AI helps generate additional insights and specific suggestions for remedial action. The result is significantly shorter response times and an overall higher level of security. If more is known about the reality of access, better IT security decisions can be made.”



About SailPoint

SailPoint is a leader in identity security for the modern enterprise. Enterprise security begins and ends with identities and access to them, but the ability to manage and secure identities is now far beyond human capabilities. Powered by artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time.

